# SeShutdownPrivilege

### Overview

**SeShutdownPrivilege** allows a user to **shut down or restart a system**. While this may seem low impact, it can be abused in a Windows lab environment to **restart services or the entire machine**, causing certain services to execute again, which can enable **privilege escalation**.

This is particularly useful when targeting:

* **Auto-start services**
* Services running as **SYSTEM**
* Services

### Why This Works

Many Windows services:

* Start automatically at boot (`StartType = Auto`)
* Run with **high privileges (SYSTEM)**
* Execute binaries/scripts from disk

If you can:

1. Modify or replace a service binary or its execution path (due to weak permissions), and
2. **Force a reboot using SeShutdownPrivilege**

then the service will restart and execute your modified payload **as SYSTEM**.

### Prerequisites

You need:

* A shell as a user with:
  * `SeShutdownPrivilege` enabled
* A **vulnerable service**, such as:
  * Writable service binary
  * Writable service directory
  * Weak service permissions (modifiable config)
* The service must:
  * Be **auto-start**
  * Run as **SYSTEM**

### Steps

1. Check for `SeShutdownPrivilege` using `whoami /priv`.
2. Find auto-start services using:

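   ```powershell
   # cmd.exe: name, path and start mode of services whose line does not contain C:\Windows
   wmic service get name,pathname,startmode | findstr /i /v "C:\Windows"
   # PowerShell: services configured to start automatically at boot
   Get-CimInstance Win32_Service | Where-Object {$_.StartMode -eq "Auto"}
   ```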
3. Identify vulnerable services: those that run as SYSTEM, have an auto start mode, and whose binary can be replaced or is writable (check with `icacls`).
4. Replace the binary:

   ```cmd
   copy malicious.exe "C:\Path\to\service.exe"
   ```
5. Trigger a reboot using `shutdown /r /t 0`.
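
From the defender's side, the precondition in step 3 can be audited across a whole host before anyone relies on it. The PowerShell below is an added example, not part of the original checklist; the function name `Get-BroadWriteAce` and the choice of four well-known SIDs treated as "broad" groups are assumptions made for illustration.

```powershell
# Added audit example: flag auto-start LocalSystem services whose executable
# or parent folder is writable by broad, low-privileged groups. Run elevated.

# Well-known SIDs (locale independent; this selection is an assumption):
# Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

# Rights that allow altering a file or adding files to a folder, plus the
# GENERIC_WRITE / GENERIC_ALL bits that an ACE can carry unmapped.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Inherit-only ACEs on a folder do not apply to the folder itself; skip them.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $broadSids -and
        -not $_.PropagationFlags.HasFlag($inheritOnly) -and
        ([int]$_.FileSystemRights -band $writeBits) -ne 0
    }
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments; keep only the image path.
        if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
            $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
            foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
                foreach ($ace in @(Get-BroadWriteAce -Path $target)) {
                    [pscustomobject]@{
                        Service = $svc.Name
                        Target  = $target
                        Sid     = $ace.IdentityReference.Value
                        Rights  = $ace.FileSystemRights
                    }
                }
            }
        }
    }
```

Each output row is a finding: tighten the ACL on that file or folder so that only administrators and SYSTEM can write to it. No output means none of the audited service images or their folders grant write access to those groups.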


